GitHub’s Popular ‘tar’ & ‘arborist’ Packages Subject to 7 Code Execution Vulnerabilities

A total of seven high-severity vulnerabilities have been identified in the npm CLI packages “tar” and “@npmcli/arborist.”
The arborist and tar packages receive roughly 300,000 and 20 million downloads a week, respectively. An attacker can exploit the issues to execute arbitrary code on both Windows and Unix-based systems when a victim installs an untrusted npm package.

The flaws in the Node.js packages were discovered by security researchers Philip Papurt and Robert Chen in August, who reported them through GitHub’s bug bounty program (GitHub owns npm).

Further analysis by the GitHub security team turned up additional high-severity bugs in the same packages.
The Node.js tar package is a core dependency of the npm CLI: it is the library npm uses to extract package tarballs during installation, and it is also used directly by thousands of open-source projects. The @npmcli/arborist package is the library the npm CLI uses to build and manage the dependency tree under node_modules.
Because both sit on the install path, a malicious package can exploit these issues at install time to write files outside its own directory on the developer’s machine.

The issues may also “result in unexpected arbitrary file overwrites and subsequent code execution when installing untrusted packages… These dependents may also use tar to extract potentially untrusted tar archives,” according to GitHub.

GitHub summarised the issues that allow arbitrary file overwrites as follows:

“There were seven issues in total. Five separate issues in tar extraction of tar archives were addressed, but only two (CVE-2021-32804, CVE-2021-37713) directly affected npm package installations. In addition, two separate issues in @npmcli/arborist (CVE-2021-39134, CVE-2021-39135) were patched that also directly affected npm package installations,” GitHub’s Mike Hanley explained.
Developers who depend on tar directly are asked to upgrade it to a patched release. npm v6.14.15, v7.21.0 and later ship fixed versions of both tar and arborist, and the Node.js 12, 14 and 16 release lines now bundle an npm that includes the fix, so administrators can also resolve the issue by upgrading Node.js.

About the author

CIM Team